The legislation passed May 17 on a voice vote and now goes to the Senate, where its prospects are uncertain.

Should the bill become law, major agencies would create IT capital funds in which they could recover savings from IT modernization initiatives, such as moving systems and data to the cloud, rather than returning the money to the Treasury. In theory, an agency that decreases costs by using new technologies or employing cloud services could retain the savings for up to three years if those savings go toward additional IT modernization projects.

Baked-in Security

Supporters of modernizing IT point out that many newer systems are created with security baked in; they're also easier to patch with security updates than most legacy systems. "It will keep our digital infrastructure safe from cyberattacks while saving billions of dollars," bill sponsor Rep. Will Hurd, R-Texas, said on the House floor.

The Trump administration is a big supporter of IT modernization. The cybersecurity executive order signed by President Donald Trump earlier this month includes a provision that calls for the government to replace legacy systems (see Trump Finally Signs Cybersecurity Executive Order). To oversee IT modernization, the administration has established the American Technology Council, a multiagency organization that the president technically chairs but that is being overseen by his son-in-law and senior adviser Jared Kushner.

Modernizing federal IT has bipartisan support. The Obama administration promoted the idea of modernizing federal government IT in an April 2016 initiative (see White House Proposes $3 Billion Fund to Modernize Federal IT). "Many federal systems are exceedingly difficult to defend, due to their age, and the only way to remedy that situation is to change the IT," says Michael Daniel, president of the Cyber Threat Alliance, a not-for-profit, industry-sponsored information sharing and analysis organization and former Obama White House cybersecurity coordinator.

Misguided Notion?

But skeptics of IT modernization question whether it will actually improve security. Former CIA CISO Robert Bigman, an IT security consultant, characterizes modernizing IT to provide stronger security as a "misguided notion. ... This is not an evidence-based observation and is largely pushed by IT vendors/contractors. The notion that the same people who could not secure older and simpler technology can now better secure modern and more complicated IT is ludicrous."

Internet Security Alliance President Larry Clinton suggests modernizing technology, on its own, won't bolster security. "The government already has purchased advanced technology but doesn't have the personnel to properly use it and thus these investments are largely wasted," he says. "We need to modernize our IT systems, which includes upgrading the personnel as well as the technology."

Slow Start in Senate

Legislation similar to the House IT modernization bill was introduced in the Senate on April 28 and assigned to the Homeland Security and Governmental Affairs Committee. The measure has yet to be scheduled for a hearing or vote. The Senate generally lags behind the House in tackling cybersecurity legislation.

Still, a number of senators have lined up to support the measure. Sen. Tom Udall, D-N.M., cites the global WannaCry ransomware attack - which has exploited older versions of Microsoft operating systems - as a reminder that antiquated systems need to be replaced to enhance cybersecurity. "The federal government continues to rely on grossly outdated IT systems that make us vulnerable to such damaging cyberattacks," Udall says. "Maintaining old IT systems is a security risk and costs taxpayers billions of dollars each year."
